这是处理信用卡付款的正确方法吗？

Question

I have a 3-page checkout process. The first page is Customer information. The second page is card information. The third page is review & confirm order.

I'm using the paypal api to handle payments processing. Right now I have the payments page setup with the request parameters for the paypal api stored in an array, and after the customer clicks confirm & pay, I send the request over the paypal api. Is this a proper way to handle credit card payments? Would I just have to store the $nvp_string using mcrypt or some other encryption method? or temporarily store in a database and delete the info after the order is paid?

Payment Information Page

// Store request params in an array THESE ARE STATIC VARIABLES FOR TESTING
$request_params = array
                (
                'METHOD' => 'DoDirectPayment', 
                'USER' => $api_username, 
                'PWD' => $api_password, 
                'SIGNATURE' => $api_signature, 
                'VERSION' => $api_version, 
                'PAYMENTACTION' => 'Sale',                   
                'IPADDRESS' => $_SERVER['REMOTE_ADDR'],
                'CREDITCARDTYPE' => 'MasterCard', 
                'ACCT' => '5522340006063638',                        
                'EXPDATE' => '022018',           
                'CVV2' => '456', 
                'FIRSTNAME' => 'Tester', 
                'LASTNAME' => 'Testerson', 
                'STREET' => '707 W. Bay Drive', 
                'CITY' => 'Largo', 
                'STATE' => 'FL',                     
                'COUNTRYCODE' => 'US', 
                'ZIP' => '33770', 
                'AMT' => '100.00', 
                'CURRENCYCODE' => 'USD', 
                'DESC' => 'Testing Payments Pro'
                );

// Loop through $request_params array to generate the NVP string.
$nvp_string = '';
foreach($request_params as $var=>$val)
{
    $nvp_string .= '&'.$var.'='.urlencode($val);    
}

Confirm & Pay Page

// Send NVP string to PayPal and store response
$curl = curl_init();
        curl_setopt($curl, CURLOPT_VERBOSE, 1);
        curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
        curl_setopt($curl, CURLOPT_TIMEOUT, 30);
        curl_setopt($curl, CURLOPT_URL, $api_endpoint);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_POSTFIELDS, $nvp_string);

$result = curl_exec($curl);     
curl_close($curl);

// Parse the API response
$nvp_response_array = parse_str($result);

Answer 1

Storage of variables in a database for a 3 step process is an idea that's really fraught with issues. For one, you never want to get into the credit card info storage business, and it may actually be against TOS based on your payment provider and other factors. You'd have to consider things like abandoned processes too.

When I build a site like this, I'll have a 3 (or more) step process, but it's all in one page. Build 3 different "screens" in divs/templates on one file and then toggle between those divs/templates without changing files. This way, the data is still in one common form (which spans the 3 divs/templates) and I don't have to deal with storage of variables on a session or database at all. It's also lightning quick to toggle between. Really, your only consideration of any significance is handling back button behavior, which can be accomplished with URL hashing. When you've reached the last screen in your process, simply submit the form.